EU leaders have signed off the withdrawal agreement between the UK and the EU, as well as the political declaration on the framework for the future relationship between the UK and the EU. The political declaration is an outline of what a future EU-UK trade agreement might look like. But the trade agreement has yet to be negotiated and that process won't start until the UK has left the EU on 29th March 2019. If negotiations are quick (and successful) then the intention is that the future trade agreement between the EU and the UK would come into force at the end of the transition period (31st December 2020, but the transition period could be extended).

Next month the withdrawal agreement and the framework for the future EU-UK relationship will be put to the UK Parliament (likely on the 12th December), which will vote on whether to approve them. At the moment, the Parliamentary arithmetic looks worrying for Theresa May. If Parliament votes the deal down then the UK looks to be heading for a constitutional crisis. But we're not there yet, and the Prime Minister is doing her utmost to convince MPs and the public to back the deal. She has also staved off a potential vote of no confidence by Brexit supporting MPs in her own party, unhappy with the withdrawal agreement and the political declaration.

At the same time, the Court of Justice of the European Union is to hear a case on 27th November on the question of whether under Article 50 of the Treaty on European Union, a Member State which has given notice of its intention to withdraw from the EU can unilaterally revoke that notice.

What do the withdrawal treaty and the framework for the future relationship mean for data protection?

If the deal is secured then data flows between the UK and the EU (as well as the rest of the world) continue as normal between the UK's departure from the EU (29th March 2019) and the end of the transition period (ie until 31st December 2020, unless this period is extended).

For the future relationship (i.e. after the transition period), the intention as set out in the political declaration is that data transfers should take place on the basis of an adequacy decision. An adequacy decision means that the European Commission has determined that a country offers an adequate level of data protection, taking into account its domestic legislation and international commitments. This enables personal data to flow freely from the EU to that country. Examples of countries which already benefit from an adequacy decision include Argentina, New Zealand, Canada, and the US (for transfers made to organisations that have certified compliance with the EU-US Privacy Shield).